Security researchers have disclosed a vulnerability that was uncovered in Facebook Messenger that could give hackers the ability to modify or remove chats, photos, files or links and even conduct malware campaigns.
Uncovered by cybersecurity firm Checkpoint, the flaw in Messenger impacted both the desktop and mobile application versions and, according to the security experts, could be launched with relative ease due to the attack requiring little coding knowledge.
In a technical description of the flaw, Checkpoint reveals that each message in Facebook Messenger has its own unique ID number, and this is what hackers would exploit. With the help of a simple debug tool, an attacker is able to store the number and then target individual chats.
"Once the attacker has found the message ID, he can alter the content of the message and send it to the Facebook servers. The content is changed without a push message to the users' PC or mobile device," the analysis states.
There are a number of so-called attack vectors that are open to abuse and the outcomes could reportedly have a "severe impact" on users. Hackers could manipulate message histories as part of fraud schemes, tamper with chats to disrupt legal investigations and even use the exploit as a malware distribution vehicle, researchers claimed.
"An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it. The attacker can use this method later on to update the link to contain the latest command and control (C&C) address, and keep the scheme up to date," Checkpoint wrote in a blog post.
In one specific "proof-of-concept" example, the researchers demonstrated how the flaw could be used to spread a form of ransomware. "First, the attacker sends a legitimate message to a potential target [then] the attacker will alter the message to contain an infected link or file," they said. "Next, the hacker can manipulate the same attack vector to overcome one of the biggest challenges standing in the face of ransomware today: maintaining an active command and control server."
"Change a whole chat thread"
Oded Vanunu, head of product vulnerability research at Check Point, elaborated: "By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realising. What's worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations."
Facebook recently revealed that 900 million people are now using its Messenger service across the globe, which left a massive number of users at risk. Luckily, the flaw was only disclosed after it was responsibly reported – giving Facebook's techies the chance to implement a fix.